0. We sell domain names

OK, we lied, it’s six reasons, but the first probably isn’t very compelling so let’s get it out of the way first: buying domains gives us beer money.

Obviously we’ve got a commercial interest here, but Mythic Beasts exists because a bunch of students spotted that their university-provided email addresses would stop working once they graduated. We’ve now had the same personal email addresses for over 15 years.

1. Provider independence

This is the big one. Changing your email address is a massive pain. Not only do you need to tell all your human correspondents about your new address, but you need to tell just about every site that you’ve ever logged on to. Most sites use your email address to identify you, and that’s the only address that you can get a password reset sent to if you forget it.

Not so long ago, many people used the “free” addresses provided by their broadband (or dial-up) provider. This had the obvious problem that changing broadband providers meant changing your email address. Having your own domain puts you in control.

2. Real provider independence

Realising the problem of having your email address tied to your connectivity provider, many people have switched to using an address from a free email provider such as Gmail or Yahoo!, but this is really just moving the same problem elsewhere: your email address is now tied to your email provider.

3. Disposable addresses

It’s hard to do anything online without being asked to provide an email address, but how can you trust that your address isn’t going to be added to a spam list? If you have your own domain, you can have as many addresses as you want. You can even have “wildcard” addresses so that you can make up new addresses on the spot. For example, if my address is paul@example.com and I want to sign up to a service at www.somedodgysite.com, I could invent an address of:

paul-somedodgysite@example.com

If I start getting spam sent to that address then, firstly, I know which site lost or sold my details and, secondly, I can easily set up a rule to bin all mail to that address.

4. More interesting and memorable addresses

Unless you’re lucky enough to have a particularly uncommon name, any address you can get at the big free mail providers is likely to be some complex variant of your name. With your own domain name, you’ve got complete control. You could even have just a single letter such as p@example.com.

This also means that it’s less likely that your email will end up in someone else’s inbox by mistake. If one of your friends forgets that you’re joebloggs1937@gmail.com rather than just joebloggs@gmail.com, the email will get delivered to someone else. With your own domain, it’s far more likely that typo-ed addresses will get bounced, and the sender will notice the mistake.

5. Domains are cheap

We sell UK domains for just £7+VAT for two years. £3.75 a year is a tiny price to pay for being in control of your own online identity. There’s also now a huge variety of generic top-level domains that can be had for not much more – .beer, .bike, .click, .cymru, .engineer, .guru, .scot, .wales, .wtf and hundreds more.

Of course, to use your domain, you’ll need somewhere to host it. We can sell you a hosting account too, but you don’t have to use us if you don’t want to. That’s the point!

We will be reviewing the details as soon as the vulnerability is released, and will be patching the affected servers shortly after the updated packages are released. If necessary, we will be contacting customers to reissue keys, as we did after the now infamous Heartbleed vulnerability.

If you have any questions, or would like to upgrade to a managed service so that we catch these kinds of issues for you, you can contact us at support@mythic-beasts.com.

Disks just keep getting bigger. So, as the technology allows, we like to increase the disk space allocations of our hosting accounts too. We have just doubled the allocations of all our web hosting accounts. For the Super account, we’ve given it a 2.5x boost.

All of our web hosting accounts can host as many domains as you want (free, provided the domains are registered with us), with as many email addresses, mailboxes, and web pages as you want. You are limited only by the total disk space. And if that’s not enough, it’s easy to upgrade from one size of account to the next.

Finally, please don’t be misled by the picture above. We no longer use floppy disks for storage. Instead, all our web hosting servers now use mirrored “enterprise grade” SSDs for the best possible performance.

When you visit a web page, you’ll often see the URL change as it loads. For example, if you attempt to visit http://mythic-beasts.com you’ll end up at https://www.mythic-beasts.com . This is achieved using HTTP redirects, a response from a server that tells your browser that the page it is trying to load has moved.

HTTP redirects come in two flavours:

Permanent (301)

This tells the client that the page requested has moved permanently, and crucially, if it wants to load the page again, it needn’t bother checking the old URL to see if the situation has changed. This is a good way of redirecting something that you never want to undo, for example, if you’re permanently moving a website from one domain to another.

Temporary (302)

As the name suggests, this tells the client that the page has moved, but only temporarily, so the client should continue requesting the old URL if it wants to load the page again. This is a good way of telling users that your site is down for maintenance, that they don’t have enough credit to access a site, or of some other issue that is likely to change.

Getting this wrong can be a massive pain for your users. For example, Three use a permanent redirect if you’ve run out of credit on your data plan, you’re trying to use tethering in the wrong country, or some other temporary problem. Try to load http://www.xkcd.com while out of credit and you get a 301 to the Three fail page, which your browser dutifully caches.

Now find a working internet connection, attempt to load http://www.xkcd.com again, and find that your browser quite reasonably takes you straight to the Three fail page, even if you’re no longer using a Three connection. Shift+Reload doesn’t help; even restarting your browser may not help.

Three have told your browser that every page you visited whilst out of credit has moved permanently to their fail page.

Expiring permanent redirects

The example given above is very obviously a place where a temporary 302 redirect should be used, but webmasters are often encouraged to prefer 301s in the name of improving search rankings. 301 redirects allow you to tell search engines that your .co.uk site really is the same site as your .com site, thus accumulating all your google juice in the right place. They also save a small amount of time in loading the page by avoiding an unnecessary HTTP request.

Even when used legitimately, 301 redirects are obviously hazardous, as there’s no way to undo a permanent redirect once it’s been cached by a client.

The safe way to do a 301 redirect is to specify that it will expire, even if you don’t expect to ever change it. This can be done using the Cache-Control header. For example, the redirect that we issue for http://mythic-beasts.com includes the following header:

Cache-Control: max-age=3600

This tells clients that they can remember the redirect for at most one hour, allowing us to change it relatively easily at some point in the future. We use the mod_expires Apache module to create this header, which also produces an equivalent “Expires” header (the old HTTP 1.0 equivalent of Cache-Control).

The RewriteRule is used to set an environment variable, which is used to conditionally add a Cache-Control header. Thanks to Mark Kolich’s blog for the inspiration.

Escaping 301 hell

Fortunately, if you’re unlucky enough to get caught by a broken 301 redirect, such as the one issued by Three, there is an easy way to get to the page you actually wanted: simply append a query string to the end of the URL. For example, http://www.xkcd.com/?foo=bar. Browsers won’t assume that the cached redirect is valid for this new URL and websites will almost always ignore unexpected query parameters.
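The classification above, as an added example that is not part of the original post and not Mythic Beasts’ own code: given a redirect’s status and headers, work out how long a client may keep it (a 301 with no Cache-Control or Expires means “for ever”), and build the query-string escape hatch. `fetch_redirect` makes a single request without following redirects; the sample responses at the bottom of the block are constructed here, not captured from any real server.

```python
"""Classify an HTTP redirect by how long a client may cache it.

Added example, not the page's own code or Mythic Beasts' configuration.
Standard library only; the sample responses are constructed here.
"""
import http.client
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PERMANENT = {301, 308}   # cacheable by default, even with no freshness headers
TEMPORARY = {302, 303, 307}


def cache_lifetime(status, headers, now=None):
    """Seconds a client may reuse the redirect without re-checking the old URL.

    Returns 0 for "must re-check next time" and None for "indefinitely".
    headers: dict of lower-cased header name -> value.
    """
    cc = headers.get("cache-control", "").lower()
    if "no-store" in cc or "no-cache" in cc:
        return 0
    m = re.search(r"\bmax-age=(\d+)", cc)
    if m:
        return int(m.group(1))
    if "expires" in headers:
        now = now or datetime.now(timezone.utc)
        try:
            expires = parsedate_to_datetime(headers["expires"])
        except (TypeError, ValueError):
            return 0          # RFC 7234 5.3: an unparsable Expires means "already stale"
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(0, int((expires - now).total_seconds()))
    # No freshness information at all: RFC 7231 lists 301 (and 308) as
    # cacheable by default, so a client may keep it as long as it likes;
    # a 302/307 without explicit freshness is not cacheable.
    return None if status in PERMANENT else 0


def assess(status, headers):
    """One-line verdict on whether a redirect is safe to issue."""
    life = cache_lifetime(status, headers)
    if status in PERMANENT and life is None:
        return "HAZARD: permanent redirect with no expiry, clients may never re-check"
    if status in PERMANENT:
        return f"ok: permanent redirect, clients re-check after {life}s"
    if status in TEMPORARY:
        return f"ok: temporary redirect, clients re-check after {life}s"
    return "not a redirect"


def fetch_redirect(url, timeout=10):
    """One request to url WITHOUT following redirects: (status, headers)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}


def cache_busting_url(url, param="nocache"):
    """The escape hatch: a different query string is a different cache key."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [(param, "1")]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed responses: an expiring 301 like the one described above,
    # a bare 301 like the Three fail page, and a plain 302.
    samples = {
        "expiring 301": (301, {"location": "https://www.example.com/", "cache-control": "max-age=3600"}),
        "bare 301":     (301, {"location": "http://fail.example.net/"}),
        "302":          (302, {"location": "http://fail.example.net/"}),
    }
    for name, (status, hdrs) in samples.items():
        print(f"{name:14} {assess(status, hdrs)}")
    print(cache_busting_url("http://www.xkcd.com/"))
```

Run it against a live host with `assess(*fetch_redirect("http://mythic-beasts.com"))`. On the server side, with Apache 2.4.10 or later (an assumption about your setup, not the page’s own configuration), the same `max-age` can be attached to every 301 in one line: `Header always set Cache-Control "max-age=3600" "expr=%{REQUEST_STATUS} == 301"`.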

Like it or not, IPv6 is here, and the predictions of a lengthy period of dual-stack operation were wrong. Nobody bothered to turn on IPv6 until IPv4 ran out; then, instead of settling into dual stack with IPv6 alongside IPv4 behind Network Address Translation, networks are skipping quickly to IPv6 only. If your application doesn’t work on an IPv6-only network, an increasing fraction of users simply can’t use it.

At Mythic Beasts we’ve been using IPv6 for a long time. Two years ago we rebuilt the hosting infrastructure for Raspberry Pi to be IPv6 only for all internal connections. A future article will explain our scale-up to vastly more VMs, many of them IPv6 only. IPv6 at Mythic Beasts isn’t an add-on: if our IPv6 connectivity breaks, customers go offline. We’re steadily working on spreading IPv6 connectivity through other providers.

. @akismet we’ve some VMs on an IPv6 only network which do everything perfectly apart from talk to you, any chance of an AAAA record? #IPv6

We’ve been offering developers IPv6-only virtual machines for experimentation for a while, and have one of the most comprehensive IPv6 connectivity checkers for hosted software, which is very good at demonstrating that enabling a v6 address isn’t quite enough.

Every single connection to this website uses IPv6.

The best way to build the hosting infrastructure today, is to have an IPv6 only network for the whole thing and a single IPv4 address on the load balancer for ‘legacy’ IPv4 connections. To give everyone an incentive to do it right, today we’re extending our IPv6 only VM offer – all virtual machines that are IPv6 only will be discounted for the lifetime of the rental.

If you’re really interested, this presentation at the North American Network Operators’ Group (NANOG) covers the largest US ISPs moving straight to IPv6-only deployments, including the information that over 20% of US users have native IPv6.

SSL certificates underpin two things. They let the traffic between the end user and the website be encrypted, and they authenticate the website, confirming that it is who it says it is. As we previously wrote, at present that authentication step rests on a piece of maths called SHA-1.

The certificate carries a signature from the Certificate Authority that says, in effect, ‘The Certificate Authority confirms that the public key for Mythic Beasts is ….’. The CA doesn’t sign the certificate directly; it signs a SHA-1 hash of it. It’s extremely important that nobody else can forge this signature, or produce a different certificate with the same SHA-1 hash, otherwise anybody could present their own public key instead of the Mythic Beasts public key and intercept all of the data.

Now SHA-1 has been subject to a lot of analysis by people attempting to find collisions in it, and slowly progress has been made. SHA-1 has not been “broken”, but thanks to improvements in mathematics and computing, the estimated cost of forging a certificate has steadily fallen from more-money-than-exists to a-large-country-could-do-it, and in the next 5 years is likely to reach script-kiddy-with-a-botnet-could-do-it.

So Chrome, Firefox and others now refuse to accept SHA-1 based certificates that will last into 2017. Whilst you can’t forge them now, in two years’ time it’s likely that well funded organizations will be able to. As a result, the Internet has had to migrate to SHA-2, a newer family of hash functions (in practice SHA-256) that does the same job as SHA-1 for proving authenticity but has no known attacks: forging a SHA-2 signature is currently believed to be entirely infeasible. Google’s announcement of their intention to deprecate SHA-1 was greeted with dismay and anger, but in the end had the desired effect. The certification authorities moved quite quickly to make SHA-2 the default.

At Mythic Beasts this week, we replaced our SSL certificate for all our servers. As expected, the new certificate we were issued was SHA-2 based. Deployment of the new certificate went smoothly, sufficiently smoothly that not a single customer noticed. A short time later we realised that we now didn’t seem to receive any support mail at all.

Our ticket tracking system runs on top of Mono, an open source reimplementation of .NET. The older version of Mono it uses doesn’t support certificates signed using SHA-2, so our tracker was seeing the secure connection, failing to authenticate the certificate and refusing to send or receive email. Briefly we worked around this by turning encryption off for the support system – as the traffic is entirely within our network we aren’t so worried about it being intercepted.

However, we know that our end-users use a wide variety of different clients for email, some of which are quite old and obscure. So we thought it was rather likely that we were breaking email functionality for existing customers with the SHA-2 certificate. We decided the sensible thing to do would be to use the new SHA-2 certificate just for websites, and obtain a new SHA-1 certificate for mail applications.

We will face the same issue again in 12 months. (Except we don’t even know if the certification authority will still offer the choice of getting a SHA-1 certificate then.) We’re hoping that a year will force a number of updates to mail clients and system libraries such that next year we can deploy SHA-2 everywhere. Eventually, we will have to draw a line, and say that if our customers’ clients don’t support SHA-2, they will have to upgrade them, or use unencrypted access.
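A check for the failure this post describes, as an added example (not the page’s own code and not Mythic Beasts’ tooling): read the signature algorithm out of a DER-encoded certificate, which is exactly the field an older TLS stack looks at before deciding whether it can verify the certificate at all. The small DER walker and the `dummy_certificate` fixture are written for this example; the fixture has the outer shape of an X.509 certificate and nothing else, so it only exercises the parser. `check_server` is a name chosen here; it fetches a live server’s leaf certificate and needs network access.

```python
"""Which hash does a certificate's signature use? Read it straight from DER.

Added example, not the page's own code. Standard library only: a minimal DER
walker reads the outer Certificate SEQUENCE and its signatureAlgorithm
(RFC 5280 section 4.1). dummy_certificate() is a constructed stand-in.
"""
import socket
import ssl

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) and the hash they imply.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5":  ("RSA", "SHA-1"),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),
    "1.2.840.10045.4.1":     ("ECDSA", "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ECDSA", "SHA-256"),
    "1.2.840.10045.4.3.3":   ("ECDSA", "SHA-384"),
}


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos: (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents):
    """Dotted string from OBJECT IDENTIFIER contents (first byte packs two arcs)."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """OID of the signatureAlgorithm field of a DER-encoded Certificate."""
    tag, cert, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _tlv(cert, 0)             #   tbsCertificate (skipped whole)
    _, alg_id, _ = _tlv(cert, after_tbs)        #   signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _tlv(alg_id, 0)               #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)


def signature_hash(der):
    """(public-key algorithm, hash) pair, or ("unknown", oid) if unrecognised."""
    oid = signature_algorithm(der)
    return SIGNATURE_OIDS.get(oid, ("unknown", oid))


def check_server(host, port=443):
    """Classify the leaf certificate a live TLS server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return signature_hash(tls.getpeercert(binary_form=True))


# --- constructed fixture: the outer X.509 shape only, signature bytes are junk ---
def _der(tag, contents):
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + contents


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                         # remaining base-128 digits, high bit set
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def dummy_certificate(sig_oid):
    tbs = _der(0x30, _der(0x02, b"\x01"))                                # tbsCertificate placeholder
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))  # {algorithm, NULL}
    sig = _der(0x03, b"\x00" + b"\xAA" * 256)                            # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, signature_hash(dummy_certificate(oid)))
```

`check_server("www.mythic-beasts.com")` tells you what a client sees today. It only looks at the leaf: an intermediate signed with SHA-1 breaks an old client just as surely, so run the same check over every certificate in the chain you deploy (`openssl x509 -noout -text` on each file prints the Signature Algorithm line).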

In a little known fact, here are two old men singing about SSL security beginning with a limited understanding of SHA hashes. It delightfully uses the metaphor of a journey to meet their loved one to show how the process of security is a continuous process that can never be fully achieved.

We’re pleased to announce that we can now set DS records for any domain registered with us. At present, only UK domains can be configured through the control panel. For any other domains, please email support and we’ll put the records in place for you.

Control panel integration and other DNSSEC improvements will be coming soon.

We’ve just rolled out a beta of our snapshot functionality for our virtual servers. This allows you to take an instantaneous image of your servers disk space which can then be restored at a later date to either the same or a different server. This can be used for cloning a virtual server, for backups, or just to take a copy of your server before making significant configuration changes such as an operating system upgrade.

Snapshots are stored in our distributed storage cloud, which replicates the image across three separate data centres.

The system is in beta testing at the moment, and during this beta we’re offering free storage for images. Once the beta is complete, storage space will become chargeable, but we’ll contact all customers who’ve made use of the service prior to issuing any bills.

If you want to try it out, simply use the snapshot panel for your server in the customer control panel, or use the snapshot command on the admin console. Hopefully it’s self-explanatory, if it’s not, tell us and we’ll make it better!

Here at Mythic Beasts it’s fair to say that our staff hold a wide spectrum of political beliefs, but I think one thing we can all agree on is that all the major political parties have at least some irredeemably stupid policies (and possibly also that some of the minor parties only have stupid policies).

This makes voting for a political party a pretty depressing prospect. So, what about voting for an elected representative who will look after our interests?

Our founders reside in two constituencies with notable MPs: Witney and Cambridge.

The MP for Witney is notable for being the Prime Minister. The MP for Cambridge, Julian Huppert, is notable for being a Liberal Democrat and yet still being highly regarded by a large number of his constituents.

Now, if you want good data on whether your MP is any good or not, you should head over to the excellent They Work For You and find out what they’ve been up to in Parliament on your behalf.

But who wants good data when you can have some anecdotes? Let’s look at two issues that have got us wound up recently.

Firstly, the EU VAT MESS, which causes us an administrative burden far in excess of the value of the affected revenue.

The appalling jeering by other MPs, and the pathetic response given by Theresa May, to Julian Huppert’s questions asked in Parliament demonstrated that he was clearly one of the few MPs who actually grasped the implications of the proposal, rather than just resorting to rhetoric that fuels the fear that terrorism relies on.

As for David Cameron, well, it’s his idea.

So what can we conclude from this? Not a lot, except that we’d probably be in a far better place if parliament were full of representatives who listened to and understood their constituents, rather than those who get in on the strength of a party political vote.